McAfee VirusScan Enterprise Insecure Library Loading Vulnerability

Secunia Advisory SA41482


Description

Parvez Anwar has discovered a vulnerability in McAfee VirusScan Enterprise, which can be exploited by malicious people to compromise a user's system.


Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Correct me if I am wrong, but it looks like there is a false positive for VirusScan v.8.7.x
I have version 8.7.0.973 and the advisory says to upgrade to 8.7.i (now doesn't this mean that this version is covered). Thanks.

The string "8.7i" (not "8.7.i") is a part of the software's name. It is a release version, not a software version number. Whatever Secunia has done to result in its software reporting VirusScan Enterprise 8.7i as insecure based on "8.7i" or "8.7.i" as the software version number is likely resulting in all versions of this particular software release being labelled as insecure, even when they're not. As such, this would be a false positive, as suggested by floyd413. I have personally experienced the same behavior with PSI, and I believe it will quickly become a concern at work, where CSI is being deployed and VirusScan is the de facto anti-virus solution.

I echo what davis157 and floyd413 said! My VirusScan is current, and I even tried to update it just to see what it would do. Predictably, it says I already have the current version. Secunia's reporting is indeed a false positive here.

For those experiencing this issue, can you please confirm that, although 8.7.0.i is shown in the 'About' tab, or where the program displays the version information, the version is detected as 8.7.0.973, and that this is not the version number that was detected before running the update?

Hi,
I can confirm. When you right click virus scan icon and click about it gives a window with bold print at the top "VirusScan Enterprise + AntiSpyware Enterprise 8.7.0i"
When I scan with Secunia PSI it says next to detected instances "8.7.0.973" and underneath says "Latest Version patching one or more vulnerabilities: 8.7i"

If anyone else sees this please chime in. It looks like we might be able to change the detection rules to reflect that this is indeed an updated version.

"8.7i" and "8.7.0i" are both displayed in VirusScan's About window (not tab) as part of the product's name. There is no reference to 8.7.0.973 in this window.

PSI is reporting this path as the determining factor:

C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe

Next to this, it reports 8.7.0.973. What's confusing is that, at least on my system, the file version of scan32.exe is actually 8.7.0.893; there are only three files in the same folder with file version 8.7.0.973:

bbcpl.dll
shstat.exe
vsplugin.dll

So where is PSI obtaining the file version and if it's not scan32.exe, why is this displayed as the problematic file?

The file version is typically incremented for a particular release of VirusScan when a patch is applied. 8.7.0.973 seems to correspond to Patch 5. Are we to infer that if we're running the 8.7i release, any installation which does not have Patch 5 applied is vulnerable?

To add even more confusion to the situation, I just heard from someone at work running CSI. Among the releases of VirusScan Enterprise they have installed is 8.7i, and CSI reports the version as 8.7.0.747 (which I believe even pre-dates patch 2, the earliest version to which I have access). CSI does not report any problems with this installation.

So it's not just me. It seems anyone who uses McAfee Enterprise 8.7i gets this false positive. There is no way of getting rid of it other than to upgrade to the next McAfee version 8.8, although this is in no way a security patch, but rather a feature version from McAfee. Secunia, please look into this and get the rules changed to reflect the accuracy, or if there is a reason for 8.7 to be marked as insecure, please let us know.
Thanks,
Floyd

OK, I'm still having the same issue. I have tried rescanning, rebooting and rescanning again - not just the program but the PC. I also downloaded the latest Superdat file, containing the latest engine and updates. The update said I'm already running the latest engine and dats. Now what?

Secunia detected my version as 8.7.0.973, what does it detect your version as? I am assuming different. Also what is your scan engine version (under about mcafee), mine is 5400.1158. I guess Secunia can see if it differs and whether that is a secure version or if it is another false positive. I'm guessing Secunia might have just added my exact version instead of 8.7.x.x as secure, it is saying 8.7.0.973 is secure, but I could be wrong.

According to our database the latest "McAfee VirusScan Enterprise 8.7i" secure version has the detected version number of 8.7.0.973.

If you have any issues with your version being detected wrong, please do not hesitate to contact Secunia Support, preferably with attached screenshots of both the scan result and the file details of the detected file (to get these, navigate to the folder where the insecure file is located, right-click on the file, select properties, and go into the details tab). Please also make sure that the detected version is not in fact files lingering from a previous installation.
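The file-details check described above can be done for the whole folder at once. This is an added example, not part of the thread and not Secunia's or McAfee's tooling; it assumes the install path quoted earlier in the thread and uses 8.7.0.973, the version the reply above gives as the latest secure detected version, as the comparison baseline.

```powershell
# Added example: list the numeric file version of every binary in the
# VirusScan Enterprise folder and flag those below the baseline.
# $Dir is the path PSI reports in this thread (adjust for other installs).
# $Baseline is the version quoted in the Secunia reply above.
$Dir      = 'C:\Program Files\McAfee\VirusScan Enterprise'
$Baseline = [version]'8.7.0.973'

Get-ChildItem -LiteralPath $Dir -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Files without a version resource have nothing to compare: skip them.
        if (-not $vi.FileVersion) { return }

        # Build the version from the numeric fields. The FileVersion string is
        # free-form text and does not always match the four numeric parts.
        $v = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        [pscustomobject]@{
            File          = $_.Name
            FileVersion   = $v
            BelowBaseline = ($v -lt $Baseline)
            # An old timestamp next to newer files can indicate a binary
            # left over from a previous installation or an unapplied patch.
            LastWrite     = $_.LastWriteTime
        }
    } |
    Sort-Object FileVersion, File |
    Format-Table -AutoSize
```

Sorting by version makes mixed patch levels in one folder, such as the 8.7.0.893 and 8.7.0.973 files reported in this thread, visible at a glance.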

My scan engine version is 5400.1158. Secunia detected version 8.7.0.893, so Floyd, it looks like you are correct. Our detected versions are slightly different, and evidently Secunia used your exact version as secure instead of 8.7.x.x. Thank you for shedding this bright light on the issue!!

Jais, can you correct the rules given this information, or do you still need me to send you screenshots? What email address would you need me to send them to if that is the case?

Thanks for your diligence. They now for some reason require you to contact them directly, where they changed mine by simply posting on the forum. But whatever works to get this thing sorted. A few of my installations aren't at patch 5 so this helps with the false positives.